
I want to make well-known malicious programs, like Mimikatz and Incognito, undetectable by anti-virus solutions.

I have already tried various approaches myself, like packing the binary with UPX or modifying the source code in C/C++ (+ various compiler optimizations). Suffice it to say that my source code modifications are not simple, but use various forms of refactoring and removal of unnecessary features.

However, while all my attempts have reduced the number of detections on virustotal.com, the majority of anti-virus solutions still flag the resulting binaries as malware.

How can I modify or obfuscate the programs, either at the source code or binary level, to make them undetectable by the majority of anti-virus solutions?

Shuzheng
  • Why would anyone flag this as asking how to break the security of a specific system? Asking about a general antivirus evasion technique is _far_ from asking how to break a _specific system_. – forest Jun 26 '18 at 21:59
  • You might want to take a look at this : https://packetstormsecurity.com/files/127993/Bypass-Antivirus-Dynamic-Analysis.html or this : http://www.kali-linux.fr/forum/index.php/topic,2973.0.html which takes meterpreter as "well known malicious program". It's in French, but the examples are self-explanatory – EinderJam Jun 26 '18 at 20:35

2 Answers


How to make well-known malicious programs undetectable by anti-virus solutions?

Just to be clear: In the body of the question you ask "How can I modify or obfuscate the programs... to make them undetectable..." This is not the question I am answering. I am providing an answer to the more general question posed in the title of the post. The reason for this is that it is difficult to answer the modify/obfuscate question without knowing exactly how the AV tools do their fingerprinting.

But anyways, one technique that I have found very helpful is to look at the configuration of the AV program. Often an unprivileged user can view the settings, even though they cannot modify the configuration. In the settings there are often a number of "excluded" locations. For example, a business may want to exclude certain "Program Files" subfolders from being scanned because it "trusts" all the executables in those folders.

If you find a "trusted" folder then just dump a 7zip/encrypted version of mimikatz (or whatever you want) into the trusted folder and unzip it in place there. Boom, you are in.

hft
  • Thanks for your post. Have you experience in using this technique from the command-line, i.e. do AVs normally provide command-line utilities to query excluded directories? – Shuzheng Jun 26 '18 at 20:01
  • No, I don't. Good luck. – hft Jun 26 '18 at 20:05
  • @Shuzheng Microsoft Security Essentials uses the registry to store exclusions, so you could read the keys. Other AVs might use the registry as well. I tried to write a .bat file to add to the exclusion list and I couldn't get it to work. I think the location in the registry required higher privileges. – mbomb007 Jun 26 '18 at 21:27

Another option you have is to use metamorphic and polymorphic techniques. This will allow you to bypass some AV engines, depending on your code and on what you are doing, but it will be tedious for sure.

camp0
  • I know. But are there any tools available to transform the binary, or do you have to do it all yourself? – Shuzheng Jun 27 '18 at 05:12